Julian Critchlow from Extreme Networks explains how organisations can maintain high security standards in the remote work environment without uprooting usability.
In a world where working from home has become the norm, there’s more focus than ever before on network security.
Rather than sitting behind corporate firewalls, staff are now more likely to be accessing applications and databases using domestic Wi-Fi networks and internet connections. In many cases, they will also be using personal devices for work-related activities.
It’s a situation that’s been dubbed the “infinite enterprise”. The boundaries that once defined businesses have dissolved and activity is now conducted from almost any location.
As a result, the need for network, application and system security has never been higher. This, in turn, is focusing attention on the strategy of zero trust.
A new approach to security
Once you cut through the marketing hype, it’s clear that zero trust has much to offer in this infinite enterprise era. The concept of allowing only identified users, applications and databases to connect is an effective way to ensure strong security in a distributed environment.
However, it’s widely believed that security and usability are often opposed to each other. For this reason, many people regard the infinite enterprise and zero trust as polar opposites. Wrong.
They argue that there will need to be trade-offs. It’s thought you have to either favour the infinite enterprise concept with better usability or instead opt for stronger security.
Starting the zero-trust journey
Thankfully, reality is different and there is no need to trade off usability for strong security as long as zero trust is deployed in the correct way.
To assist with this, the US-based National Institute of Standards and Technology (NIST) has produced a special publication called Zero Trust Architecture. The tenets of zero trust outlined in the document represent a gold standard for how the strategy should be deployed.
One factor that needs to be considered is the approach to micro-segmentation of services. Hybrid work models mean policy enforcement points (PEPs) are now more critical than ever. The value that network infrastructure can add, along with new and inherently more secure fabric-based designs, will come to the fore. There are many examples of critical protocols for which there is little or no authentication, so a line will have to be drawn. Where secure alternatives do exist, a decision has to be taken about whether their implementation should be mandated.
Network scanning and zero trust
Effective micro-segmentation should flip the paradigm so that networks and PEPs leave services “dark” by default. Network teams can then decide whether unauthenticated systems will be able to run scanning and other reconnaissance tools to look for services in a zero-trust world. History shows that node-by-node configurations, especially with security in mind, are prone to error and attrition over time. This is where fabric-based networks have a distinct advantage, especially in preventing “lateral network movement”.
Also, the question needs to be asked whether IT teams are considering the challenge only from the perspective of segmenting services. Unfortunately, enterprise networks are running services and networked clients with vulnerabilities in them right now. It doesn’t matter whether it’s a web application, the latest release of the Chrome browser, OpenSSH, or even the use of Link Layer Discovery Protocol (LLDP): all have their own weaknesses.
The best protocols for a zero-trust environment
Some zero trust architectures build on the notion of services connected over either Transport Layer Security (TLS) or the stronger mutual Transport Layer Security (mTLS). This approach is well known to most. However, given that both data at rest and workforces are now disparately located for most organisations, increased data encryption should be top of mind.
Zero trust principles rightly question whether this is desirable or indeed necessary to successfully deploy the strategy. Experience is showing that the answer is certainly “yes”.
Much is said about the benefits of zero trust. We must always remember there can be no perfection, but we must always strive to achieve it. Assessing exploitability in an enterprise is not easy. For example, ransomware is a significant problem that seems currently to be ever increasing.
Zero trust is not about providing an “offramp” for certain classes of vulnerabilities that are widely exploited. The tenets, components and policies of zero trust are an enabler of both the infinite enterprise and strong security.
It provides a set of organising principles that can be adopted iteratively over time. Consider how your organisation can put this rapidly evolving strategy to work.
Julian Critchlow is the ANZ general manager at Extreme Networks.